Managing Emerging Information Security Risks during Transitions to Integrated Operations

The Norwegian oil and gas industry is adopting new information and communication technology to connect its offshore platforms, onshore control centers and suppliers. The management of the oil companies is generally aware of the increasing risks associated with this transition, but so far investment in incident response (IR) capability has not been highly prioritized, because of uncertainty about the risks and the prevailing reactive mental model for security risk management. In this paper, we extend previous system dynamics models of operation transition and change of vulnerability to investigate the role of IR capability in controlling the severity of incidents. The model simulation shows that a reactive approach to security risk management might trap the organization in low IR capability and lead to severe incidents. With a long-term view, proactive investment in IR capability is of financial benefit.
